DSA-2067-1 mahara -- severalID: oval:org.secpod.oval:def:600139 | Date: (C)2011-01-28 (M)2022-10-10 |
Class: PATCH | Family: unix |
Several vulnerabilities were discovered in mahara, an electronic portfolio, weblog, and resume builder. The following Common Vulnerabilities and Exposures project ids identify them: CVE-2010-1667 Multiple pages performed insufficient input sanitising, making them vulnerable to cross-site scripting attacks. CVE-2010-1668 Multiple forms lacked protection against cross-site request forgery attacks, therefore making them vulnerable. CVE-2010-1670 Gregor Anzelj discovered that it was possible to accidentally configure an installation of mahara that allows access to another user"s account without a password. CVE-2010-2479 Certain Internet Explorer-specific cross-site scripting vulnerabilities were discovered in HTML Purifier, of which a copy is included in the mahara package. For the stable distribution , the problems have been fixed in version 1.0.4-4+lenny6. For the testing distribution , the problems will be fixed soon. For the unstable distribution , the problems have been fixed in version 1.2.5. We recommend that you upgrade your mahara packages.